Pages

Friday, February 22, 2013

ICS-CERT Publishes Honeywell EBI Advisory

Late this afternoon the DHS ICS-CERT published an advisory
for an ActiveX vulnerability for the Honeywell Enterprise Buildings Integrator
(EBI). The vulnerability was reported by Juan Vazquez of Rapid7 in a
coordinated disclosure.

The Advisory

ICS-CERT reports that a moderately skilled attacker using a
social engineering attack could remotely exploit this vulnerability to execute
arbitrary code on the system. ICS-CERT maintains that the need to use a social
engineering attack vector “decreases the likelihood of a successful exploit”
(pg 3). Recent
reports on the success rates for social engineering attacks don’t seem to
support that assertion.

Honeywell recommends that the HscRemoteDeploy.dll be
disabled on “any client or server computers on
affected systems”. They have an update package that accomplishes this, but
recommend that it be only run by a “qualified, trained resource”. Honeywell has
also asked Microsoft to “issue a kill bit for the HscRemoteDeploy.dll in a
future monthly Microsoft Windows security update”. This will disable the DLL on
any machines running the automated Windows update.

No Public Exploit Code, Yet

The advisory reports that there is no known exploit code
publicly available at this time. It also notes that Rapid7 plans on releasing a
Metasploit module for this vulnerability next month. This continues a trend
upon which I have recently reported that white hat researchers are publishing
exploit code even on coordinated disclosure vulnerabilities. Rapid 7 is more
forgiving in their publication process than is Exodus Intelligence since they
are giving owners a reasonable chance to install their system updates before
the exploit code is published. It would be even more forgiving if they held off
their publication until Microsoft publishes the DLL kill bit in their Windows
update.

About Me

I spent 15 years in the US Army as an Infantry NCO. After getting out of the Army I started working in the chemical industry, getting my BSc Chemistry degree while working as a technician. I spent 12 years working as a process chemist in a specialty chemical company. Most recently I worked as a QA/R&D Manager in a specialty chemical manufacturing facility. Currently I am working as a freelance writer.